> Most sys admins trounce through the crime scene as you described
> without realizing the cost of their actions on the evidence until
> it is too late.

Or at all.

One investigation I had was over before it started. The sysadmin (in OH) reported he had received "a ton of" failed login attempts from a user (in FL). This 'suspicious activity' was in actuality 3 events spread across 2 print servers. The admin admitted to me that he'd mapped the user's drive and begun roaming around the file system w/ Explorer, looking at email, files, etc. I got this all after the fact. Oh, and the admin was a former cop. Go figure.

> Sys admins are trained to keep their systems running and configured
> properly; their first thought is not crime scene preservation as we
> all would like.

Agreed. This is a training issue, but it is also a management issue. It's a management issue b/c it's management's responsibility to see that the IT staff is trained, but it's also management's role to have say over how the IT staff spends their time. Right now, many sites have under-trained and under-manned staffs trying to keep systems up. If management allocated the appropriate resources, things would be different.

Also, how many sites actually do employee performance reviews? I mean, official reviews, conducted by management. Not many that I've seen. I think this would go a long way toward overall security, as well. After all, if you sit an admin down and tell him you're going to evaluate him on his performance...the contents of his reports regarding events recorded by the system, results of system scans for compliance w/ policy, etc...and then you actually track these items, that admin would put some effort toward meeting those requirements, don't you think?

> Monetary losses are the best example of how time could be a factor.
> Especially since most sys admins know that 99 percent of all
> glitches are not crime related.

This is an excellent example.

Troubleshooting and incident response skills go hand in hand, particularly with mission-critical servers in which down time means lost money. How much time would it take to make a bit-image copy of the drives (such servers would likely use multiple drives in a RAID 5, hot-swappable config)? Now, with some investigation, some 'touching of the system', the admin could retrieve information that would allow management to make a sound decision regarding whether or not to take the system down.

> The incident verification principles should be:
>
> 1. Avoid paralysis
> 2. It is OK to touch the system. Even if performing a methodical
>    search you will need to interact in some way. (Doing nothing
>    ALSO changes the system.)

Right. As time passes, IP endpoints time out, network connections expire, intruders continue their activities, and users log out. Inactivity and indecisiveness by an admin or manager could have an effect on the outcome of an investigation.

> Gather evidence, even in the most time consuming undisturbing
> way... changes the system. Have procedures and train to them.

That's the most important point. Having a procedure or methodology is actually the easiest way to handle things. Methodologies can be changed. Having someone "pull it out of thin air" each time doesn't leave any room for modification. Procedures, in accordance with policy, need to be determined ahead of time, and checklists and training included.

> 3. Document everything. If you know an action might have an unknown
>    effect as many do, record it. You can testify it was you later on.
>    Also good to have a recorder watch you or video tape your actions.

Military officers know that documentation is king. If you didn't document it, it didn't happen.
And again we come back to management...if management doesn't allocate the appropriate resources to ensure that there are enough trained personnel on staff (notice that I haven't said that you have to have one or two people specifically dedicated to forensics ONLY...it's more like special forces, where everyone knows two or three jobs), with the appropriate equipment and direction, it will all break down.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
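One way to put the "it is OK to touch the system, but document everything" principles discussed in the thread into practice, as an added example that is not part of the original post or the list: a small shell wrapper that captures each verification command's output to a file and appends an audit line with timestamp, operator, host, exact command, exit status and a SHA-256 of the captured output. The evidence directory, file naming and log format are assumptions for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal "document everything"
# wrapper for incident verification. Each command run on the suspect host is
# captured to a file and recorded with who ran it, when, the exact command,
# its exit status and a SHA-256 of the output, so the action can be accounted
# for later. Directory layout and log format are assumptions for this example.

EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"          # assumed location
AUDIT_LOG="${AUDIT_LOG:-$EVIDENCE_DIR/audit.log}"

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# record_step LABEL COMMAND [ARGS...]
# Runs COMMAND, saves stdout+stderr as EVIDENCE_DIR/NNN-LABEL.txt and appends
# one tab-separated audit line. Returns the command's own exit status.
record_step() {
    label="$1"; shift
    mkdir -p "$EVIDENCE_DIR"
    # sequence number = number of captures already present + 1
    seq=$(ls "$EVIDENCE_DIR"/*.txt 2>/dev/null | wc -l)
    seq=$(printf '%03d' $((seq + 1)))
    out="$EVIDENCE_DIR/$seq-$label.txt"
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    rc=0
    "$@" > "$out" 2>&1 || rc=$?
    hash=$(sha256_of "$out")
    # one line per action: time, operator, host, command, exit status, hash
    printf '%s\t%s\t%s\t%s\trc=%s\tsha256=%s\n' \
        "$start" "${USER:-unknown}" "$(uname -n)" "$*" "$rc" "$hash" >> "$AUDIT_LOG"
    return "$rc"
}

# Example ordering, most volatile first (commands vary by platform):
#   record_step netstat  netstat -an
#   record_step users    who
#   record_step procs    ps aux
```

Each capture file can later be re-hashed and compared against the audit line to show it was not altered after collection.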
This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 17:59:50 PST